howto://publish OWA through TMG

by Ed Fisher on 2010-05-26

in Infrastructure


Mmmm…Outlook Web Access. Having had to deal with Notes’ pathetic excuse for webmail for the past six months, I was thrilled (thrilled! I say) to get myself some OWA action. "Any browser, any operating system" seems to be a fair statement, and in all cases, it still looks like Outlook. So of course, the next step is to get this baby out on the actual web! And I can think of no way I would do this except through our TMG 2010 server.

Outlook Web Access requires HTTPS connections (and rightfully so) but I like to make things easier on users when I can, so we’re going to publish OWA in stages. We’ll set up two listeners…one for http and one for https. Then we’ll set up a rule that accepts http connections to a short URL and configure this rule to perform our redirect to the https site and include the /owa path. Finally, we’ll set up the rule that will actually publish OWA as usual.


Assumptions

For the work to be performed in this post, we’re assuming you have TMG, a static ip.addr on your Internet connection that is not already configured for some other purpose, that you have a suitable certificate installed on your TMG server, and have added the A record into your external DNS that you want to use for web mail. All of these are fairly easy, but could also take up a post on their own.

Listeners

There are two schools of thought on this, and I have argued this with MSFT in the past. The tin-foil hat brigade wants to only accept https connections to OWA, and require users to type in the https:// and the /owa on the end of the URL. They can want all they want…THEY’RE WRONG! We know that users tend to leave off the protocol, and if we tell them to type slash Oh Double-U Ay they will probably wind up with \0uu8 so we’re not even going to try. We’ll just set up a rule that accepts a simple URL over http and redirects them to another rule that connects them to OWA over https. To do that, we need two listeners.

  1. Log onto TMG, browse down to the Firewall Policy, and in the actions pane (far right) click on Toolbox.
  2. Click New, Web Listener.
  3. Give it a name like allpurposehttp, configure it to use http, pick your external address, and set Authentication to “No Authentication.”
  4. Create another, call it allpurposehttps, configure it to use https, pick your external address, your certificate (I recommend a wildcard cert so you can use this for many things) and set Authentication to “No Authentication.” We’re going to let OWA handle the authentication, so no sense making the user also authenticate to TMG.

HTTP rule

Now let’s create our first rule. Remember, this one will accept a simple URL over http, and then redirect us to our proper OWA connection. We’ll use webmail.retrohack.com as the URL for our OWA.

  1. In our TMG console, browse to Firewall Policy, right-click it, then click New, Web Site Publishing Rule…
    (screenshot: step one, website publishing rule)
  2. In the first panel of the wizard, name it something relevant, and click Next.
  3. For select a Rule Action, click Deny and then click Next.
  4. In Publishing Type, just click Next.
  5. In Server Connection Security, just click Next. (Remember this is a Deny rule, so none of this really matters.)
  6. In Internal Publishing Details, type in anything for Internal site name, and click Next.
  7. In Internal Publishing Details, just click Next.
  8. In Public Name Details, type in the short URL you want to give out to users. Then click Next.
  9. In Select Web Listener, pick your allpurposehttp listener from the drop down list, and then click Next.
  10. In Authentication Delegation, just click Next.
  11. In User Sets, make sure it shows "All Users" and click Next.
  12. Click Finish, and then right-click your new rule and choose Properties.
  13. Go to the Action Tab, select the check box for "Redirect HTTP requests to this Web page:" and fill in the URL for OWA, including the https:// and the /owa.
  14. Click OK, then click Apply up at the top, enter your change documentation, and hit OK.

OWA rule

Now we can set up our publishing rule for OWA.

  1. Once again, in our TMG console, browse to Firewall Policy, right-click it, then click New, and this time click Exchange Web Client Access Publishing Rule…
    (screenshot: step one, website publishing rule)
  2. Give your rule a name and then click Next.
  3. Pick Exchange 2010 from the drop down list, and select Outlook Web Access, then click Next.
  4. On Publishing Type, just click Next (unless of course, you actually have a farm of OWA servers.)
  5. On Server Connection Security, just click Next (default is to use SSL.)
  6. On the Internal Publishing Details, fill in the FQDN or hostname of your OWA server. No protocol, no /OWA, then click Next.
  7. In the Public Name Details, fill in the external FQDN…again, no protocol or path. Click Next.
  8. In the Select Web Listener, pick your https listener from the drop down list, and then click Next.
  9. In Authentication Delegation, select "No delegation, but client may authenticate directly" and then click Next.
  10. In User Sets, make sure "All Users" is listed and then click Next.
  11. In Completing the New Exchange Publishing Rule Wizard, click Test Rule and investigate any errors. If all shows green, click Finish.
  12. Up at the top, click Apply, enter your change control reason, and then hit OK.

Now you just need to hop out to an external machine, open a browser and enter your short URL…no protocol, no /owa. If you did everything above correctly, and your DNS records are in place, you’ll see your browser redirected to your https site and then you’ll see the logon form for OWA. Win!
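The browser test above can be scripted so you can repeat it after every TMG change. This Python script is an added check, not part of the original post: from an external machine it requests the short URL over plain http and passes only if the Deny rule answers with a redirect to exactly https://&lt;name&gt;/owa (a 200 on the http side would mean the logon form is reachable in clear text), then confirms OWA answers over https. The host name webmail.retrohack.com is the post's example and is assumed as the default.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back unchanged so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url):
    """Return (status, headers) for one request without following redirects."""
    try:
        resp = urllib.request.build_opener(NoRedirect).open(url, timeout=15)
        return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx responses land here
        return e.code, dict(e.headers.items())

def location(headers):
    """Case-insensitive lookup of the Location header ('' if absent)."""
    return {k.lower(): v for k, v in headers.items()}.get("location", "")

def evaluate_redirect(status, headers, expected_target):
    """Judge the plain-HTTP probe: pass only on a redirect to exactly expected_target.
    A 200 here is a finding: the http listener served content instead of bouncing to https."""
    loc = location(headers)
    if status == 200:
        return False, "http listener served content instead of redirecting"
    if status not in (301, 302, 307, 308):
        return False, f"unexpected status {status}"
    if urlsplit(loc).scheme != "https":
        return False, f"redirect does not go to https: {loc!r}"
    if loc.rstrip("/").lower() != expected_target.rstrip("/").lower():
        return False, f"redirect target {loc!r} is not {expected_target!r}"
    return True, "redirect ok"

def evaluate_owa(status, headers):
    """Judge the https probe: OWA answers 200, or bounces within https to its logon page."""
    loc = location(headers)
    if status == 200 or (status in (301, 302) and urlsplit(loc).scheme == "https"
                         and "/owa" in loc.lower()):
        return True, f"owa reachable over https (status {status})"
    return False, f"https probe failed: status {status}, location {loc!r}"

def check_owa_publishing(short_name="webmail.retrohack.com"):  # assumed example host
    """Run both probes from this (external) machine and return the verdicts."""
    status, headers = fetch(f"http://{short_name}/")
    http_verdict = evaluate_redirect(status, headers, f"https://{short_name}/owa")
    status, headers = fetch(f"https://{short_name}/owa")
    return {"http_redirect": http_verdict, "https_owa": evaluate_owa(status, headers)}
```

Run `check_owa_publishing("your.short.name")` from outside the network; if the https probe fails on certificate validation, that is itself worth fixing before users see the same warning.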

With this, we get the double-goodness of using simple URLs for web mail that take care of securely connecting our users automagickally. It’s not every day that we get both what we want and what we need at the same time. In honour of the rare occurrence, here’s a little jam to get your day going. I saw INXS from the front row at Radford College in 1987 when they had no sponsor, and again six months later when MTV was footing the bill. They were just as awesome the second time around, but a lot more personal from ten feet away.

direct link for RSS and email subscribers…http://www.youtube.com/watch?v=vSME53nL8tg

Do you prefer to make it simpler for your users, or to require longer URLs with https?
